
List:       oss-security
Subject:    [oss-security] Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote
From:       Johannes Stezenbach <js () sig21 ! net>
Date:       2010-12-23 19:26:03
Message-ID: 20101223192602.GA4105 () sig21 ! net

On Thu, Dec 23, 2010 at 07:55:50PM +0100, Nicolas Sebrecht wrote:
> On Thu, Dec 23, 2010 at 03:43:40PM +0100, Jan Lieskovsky wrote:
> > 
> >   II), Allows SSLv2 protocol
...
> >   [6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606962

Please note that I reported this issue for the python2.6
package and not for the offlineimap package.  While I
noticed it with offlineimap, I think the bug is either
in Python or in openssl.  According to Python documentation
it should default to use SSLv3.

OTOH it wouldn't hurt if offlineimap would allow the user
to specify the protocol version (TLSv1, SSLv3, SSLv2).


Thanks
Johannes